[Samba] Question about silos and Authentication policies

Stefan Kania stefan at kania-online.de
Tue Oct 24 08:04:12 UTC 2023


Hi Rob,

I'm also not a Windows admin ;-) But I have customers who need this kind
of thing, so I have to test it. At the moment I can't even get it to run
in a pure Windows environment :-( but I know someone who can help me. So
far I compared the LDIF of the object of a user and a computer when
assigning a silo to these objects. That is the same in Windows and Samba.
The objects of an auth-policy and auth-silo look a bit different on
both systems. As soon as I know more and maybe get it working, you will
get more info from me.

Stefan

On 23.10.23 at 23:03, Rob van der Linde via samba wrote:
> Hi Stefan,
> 
> We had a long weekend in New Zealand, I'm catching up now to your emails.
> 
> Some of the slight differences from the Windows tools I've already picked
> up on, and they are in my PR that Andrew Bartlett mentioned on Friday, but I'm
> always open to learning what things are missing or different etc.
> 
> On 23/10/23 02:58, Stefan Kania via samba wrote:
>> Talking to myself again ;-)
>>
>> samba-tool works a little bit differently than the silo/policy
>> management on a Windows DC.
>> On a Windows DC, after assigning the user and host to the silo, you have
>> to assign the silo to the user and the host. When assigning the user
>> and host to the silo with samba-tool, the assignment to the user and
>> the host is done at the same time. So now my policy looks like this:
>> -------------
>> root@addc-01:~#  samba-tool domain auth policy view --name=winclient-pol
>> {
>>   "cn": "winclient-pol",
>>   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
>> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy 
>> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "instanceType": 4,
>>   "msDS-AuthNPolicyEnforced": true,
>>   "msDS-ServiceTGTLifetime": 60,
>>   "msDS-StrongNTLMPolicy": 0,
>>   "name": "winclient-pol",
>>   "objectCategory": 
>> "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
>>   "objectClass": [
>>     "top",
>>     "msDS-AuthNPolicy"
>>   ],
>>   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
>>
>> -------------
>>
>> The silo looks like this:
>> -------------
>> root@addc-01:~#  samba-tool domain auth silo view --name=winclient-silo
>> {
>>   "cn": "winclient-silo",
>>   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
>> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy 
>> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "instanceType": 4,
>>   "msDS-AuthNPolicySiloEnforced": true,
>>   "msDS-AuthNPolicySiloMembers": [
>>     "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
>>     "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
>>   ],
>>   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN 
>> Policies,CN=AuthN Policy 
>> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN 
>> Policies,CN=AuthN Policy 
>> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
>> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>   "name": "winclient-silo",
>>   "objectCategory": 
>> "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
>>   "objectClass": [
>>     "top",
>>     "msDS-AuthNPolicySilo"
>>   ],
>>   "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
>> -------------
>>
>> My user "cn=protected admin" looks like this:
>> -------------
>> dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: protected admin
>> sn: admin
>> givenName: protected
>> instanceType: 4
>> whenCreated: 20231020125659.0Z
>> displayName: protected admin
>> uSNCreated: 4267
>> name: protected admin
>> objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
>> accountExpires: 9223372036854775807
>> sAMAccountName: padmin
>> sAMAccountType: 805306368
>> userPrincipalName: padmin@example.net
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
>> userAccountControl: 512
>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
>> memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
>> lastLogonTimestamp: 133422806290994480
>> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN 
>> Silos,CN=AuthN Polic
>>  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN 
>> Silos,CN=AuthN Policy
>>   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>> pwdLastSet: 133424547343802100
>> whenChanged: 20231022132534.0Z
>> uSNChanged: 4319
>> lastLogon: 133424547477453410
>> logonCount: 12
>> distinguishedName: CN=protected 
>> admin,OU=users,OU=It,OU=Firma,DC=example,DC=ne
>>  t
>> -------------
>>
>> And the host:
>> --------------
>> dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> cn: WINCLIENT
>> instanceType: 4
>> whenCreated: 20231019160325.0Z
>> uSNCreated: 4225
>> name: WINCLIENT
>> objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
>> userAccountControl: 4096
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> pwdLastSet: 133422050057063700
>> primaryGroupID: 515
>> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
>> accountExpires: 9223372036854775807
>> sAMAccountName: WINCLIENT$
>> sAMAccountType: 805306369
>> dNSHostName: winclient.example.net
>> servicePrincipalName: HOST/winclient.example.net
>> servicePrincipalName: RestrictedKrbHost/winclient.example.net
>> servicePrincipalName: HOST/WINCLIENT
>> servicePrincipalName: RestrictedKrbHost/WINCLIENT
>> servicePrincipalName: WSMAN/winclient.example.net
>> servicePrincipalName: WSMAN/winclient
>> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
>> isCriticalSystemObject: FALSE
>> lastLogonTimestamp: 133422050059426810
>> operatingSystem: Windows 11 Pro
>> operatingSystemVersion: 10.0 (22621)
>> msDS-SupportedEncryptionTypes: 28
>> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN 
>> Silos,CN=AuthN Polic
>>  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN 
>> Silos,CN=AuthN Policy
>>   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>> whenChanged: 20231020163411.0Z
>> uSNChanged: 4289
>> lastLogon: 133424546464979900
>> logonCount: 30
>> distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
>> --------------
>>
>> So in both objects you can see the two attributes:
>> ------------------
>> msDS-AuthNPolicySiloMembersBL:
>> msDS-AssignedAuthNPolicySilo:
>> ------------------
>>
>> These attributes look the same in a Windows Active Directory. I built
>> the same domain with Windows Server 2022 and FL 2016. There it works.
>>
>> In my Samba domain I can assign everything, but my user "cn=protected
>> admin" can still log in to my host "winclient" :-(
>>
>> Has anyone tried it yet and got it working?
>>
>>
>> On 20.10.23 at 19:57, Stefan Kania via samba wrote:
>>> Now I created a policy with:
>>>
>>> ---------
>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>> ---------
>>>
>>> and a silo with:
>>>
>>> ---------
>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>> ---------
>>>
>>> Then I add the following objects to the silo:
>>> ---------
>>> samba-tool domain auth silo member add --name=winclient-silo 
>>> --member=padmin
>>>
>>> samba-tool domain auth silo member add --name=winclient-silo 
>>> --member=winclient\$
>>> ---------
>>>
>>> Then assigning the policy to the silo with:
>>>
>>> -------------
>>> samba-tool domain auth silo modify --name=winclient-silo 
>>> --policy=winclient-pol
>>> -------------
>>>
>>> The next step would be to assign the silo to the user and the host, 
>>> but I don't see any option in "samba-tool domain auth ..." to do 
>>> this. The same with adding the host to the policy.
>>>
>>> On a Windows system I would do this with "ADAC", but I can't use it
>>> with a Samba DC.
>>>
>>> Is there a way to do it with samba-tool, or any other tool?
>>>
>>>
>>
>>
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html

New GPG key: the public key is attached.
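A consistency check for the attributes discussed in this thread, added here as an example and not part of the original e-mails or of samba-tool itself: it unfolds an LDIF dump (constructed sample below, using the same line folding the quoted dumps show and the thread's example.net naming) and reports every member listed in the silo's msDS-AuthNPolicySiloMembers whose own msDS-AssignedAuthNPolicySilo does not point back at the silo, which is the second step a Windows DC requires after adding the member.

```python
from collections import defaultdict

# Constructed sample LDIF (example.net layout from the thread); the computer is
# fully assigned, the user only has the back-link from the silo's member list.
SAMPLE_LDIF = """\
dn: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT,CN=Computers,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=protected admin,OU=users,DC=example,DC=net

dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
  Configuration,CN=Services,CN=Configuration,DC=example,DC=net

dn: CN=protected admin,OU=users,DC=example,DC=net
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
  Configuration,CN=Services,CN=Configuration,DC=example,DC=net
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; plain 'attr: value' lines only (no base64 '::')."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folding: drop the single leading space
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():                  # blank line terminates an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def unassigned_members(entries, silo_dn):
    """DNs the silo lists as members that do not themselves point back at the silo."""
    members = entries[silo_dn].get("msDS-AuthNPolicySiloMembers", [])
    return [dn for dn in members
            if silo_dn not in entries.get(dn, {}).get("msDS-AssignedAuthNPolicySilo", [])]

def check_sample():
    entries = parse_ldif(SAMPLE_LDIF)
    silo_dn = next(dn for dn in entries if dn.startswith("CN=winclient-silo,"))
    return unassigned_members(entries, silo_dn)
```

Against a real DC, feed the output of an ldbsearch over the silo and its member objects into parse_ldif and pass the silo's DN; any DN returned is a member that was added to the silo but never assigned to it.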

